grafana

systems/x86_64-linux/jallen-nas/apps.nix

@@ -53,7 +53,7 @@ in
       caddy = enabled;
       cockpit = {
         enable = true;
-        port = 9090;
+        port = 9091;
       };
       calibre = {
         enable = false;

systems/x86_64-linux/jallen-nas/default.nix

@@ -233,7 +233,7 @@ in
 
     services = {
       grafana = {
-        enable = false;
+        enable = true;
         port = 9999;
       };
     };

systems/x86_64-linux/jallen-nas/sops.nix

@@ -140,7 +140,7 @@ in
         group = "keys";
         restartUnits = [
           "nextcloud.service"
-          "prometheus-nextcloud-exporter.service"
+          "prometheus-nextcloud-exporter.service" # actual systemd unit name
         ];
       };
       "jallen-nas/nextcloud/smtp_settings" = {
@@ -285,6 +285,21 @@ in
         sopsFile = defaultSops;
         restartUnits = [ "podman-authenticRac.service" ];
       };
+
+      # ------------------------------
+      # Grafana
+      # ------------------------------
+      # secret_key was previously the upstream default "SW2YcwTIb9zpOOhoPsMm".
+      # It is stored here so Grafana can read it via the file provider without
+      # embedding it in the world-readable Nix store.
+      # To rotate: use https://github.com/erooke/grafana-secretkey-rotation-tool
+      "jallen-nas/grafana/secret-key" = {
+        sopsFile = defaultSops;
+        owner = "grafana";
+        group = "grafana";
+        mode = "0400";
+        restartUnits = [ "grafana.service" ];
+      };
     };
 
     # ------------------------------

systems/x86_64-linux/jallen-nas/users.nix

@@ -44,14 +44,16 @@ in
       };
       root.shell = pkgs.zsh;
 
-      # Allow the Prometheus Nextcloud exporter to read its password secret.
-      prometheus-nextcloud-exporter = {
+      # The NixOS nextcloud exporter runs as 'nextcloud-exporter' (the default
+      # generated by the exporter base module).  Add it to 'keys' so it can
+      # read the SOPS-managed adminpassword secret.
+      nextcloud-exporter = {
         isSystemUser = true;
-        group = "prometheus-nextcloud-exporter";
+        group = "nextcloud-exporter";
         extraGroups = [ "keys" ];
       };
     };
 
-    groups.prometheus-nextcloud-exporter = { };
+    groups.nextcloud-exporter = { };
   };
 }